---
description:
  Protect your GraphQL server from CSRF attacks with the `@graphql-yoga/plugin-csrf-prevention`
  plugin. Install it with just one command!
---

# CSRF Prevention

If you have CORS enabled, almost all requests coming from the browser will have a preflight
request - however, some requests are deemed "simple" and don't make a preflight. One example of such
a request is a good ol' GET request without any headers, this request can be marked as "simple" and
have preflight CORS checks skipped therefore skipping the CORS check.

This attack can be mitigated by saying: "all GET requests must have a custom header set". This would
force all clients to manipulate the headers of GET requests, marking them as "\_not-\_simple" and
therefore always executing a preflight request. Apollo does this when using the
[`csrfPrevention = true` option](https://www.apollographql.com/docs/apollo-server/api/apollo-server/#csrfprevention).

By using the `@graphql-yoga/plugin-csrf-prevention` plugin, you can achieve the same!

## Installation

```sh npm2yarn
npm i @graphql-yoga/plugin-csrf-prevention
```

## Quick Start

```yaml
plugins:
  - csrfPrevention:
      requestHeaders: ['x-graphql-yoga-csrf'] # default
```
